[selinux-policy: 1043/3172] policy-20051208.patch from dan, plus a few adjustments
Daniel J Walsh
dwalsh at fedoraproject.org
Thu Oct 7 20:35:05 UTC 2010
commit 049e11af3026b9548f601d86b5c2412405a07f56
Author: Chris PeBenito <cpebenito at tresys.com>
Date: Fri Dec 9 15:42:39 2005 +0000
policy-20051208.patch from dan, plus a few adjustments
refpolicy/Makefile | 7 +---
refpolicy/Rules.modular | 9 ++++
refpolicy/Rules.monolithic | 11 +++++-
.../config/appconfig-targeted-mcs/default_contexts | 5 +-
.../config/appconfig-targeted-mls/default_contexts | 5 +-
.../config/appconfig-targeted/default_contexts | 5 +-
refpolicy/policy/modules/admin/su.if | 9 ++--
refpolicy/policy/modules/admin/su.te | 2 +-
refpolicy/policy/modules/kernel/filesystem.te | 3 +-
refpolicy/policy/modules/services/canna.te | 3 +-
refpolicy/policy/modules/services/cups.te | 4 +-
refpolicy/policy/modules/services/dbus.te | 4 +-
refpolicy/policy/modules/services/ftp.te | 32 ++++++++-------
refpolicy/policy/modules/services/hal.te | 41 ++++++++++++--------
refpolicy/policy/modules/services/mta.te | 11 +-----
refpolicy/policy/modules/services/sasl.te | 4 +-
refpolicy/policy/modules/services/spamassassin.te | 4 ++
refpolicy/policy/modules/services/xdm.te | 8 +--
refpolicy/policy/modules/system/hostname.te | 3 +-
refpolicy/policy/modules/system/init.if | 32 ---------------
refpolicy/policy/modules/system/libraries.fc | 8 +++-
refpolicy/policy/modules/system/libraries.te | 10 +---
refpolicy/policy/modules/system/locallogin.te | 7 ---
refpolicy/policy/modules/system/mount.te | 3 +-
24 files changed, 107 insertions(+), 123 deletions(-)
---
diff --git a/refpolicy/Makefile b/refpolicy/Makefile
index 0e39ad2..9122171 100644
--- a/refpolicy/Makefile
+++ b/refpolicy/Makefile
@@ -137,7 +137,7 @@ M4SUPPORT = $(wildcard $(POLDIR)/support/*.spt)
APPCONF := config/appconfig-$(TYPE)
APPDIR := $(CONTEXTPATH)
-APPFILES := $(addprefix $(APPDIR)/,default_contexts default_type initrc_context failsafe_context userhelper_context removable_context dbus_contexts) $(CONTEXTPATH)/files/media
+APPFILES := $(addprefix $(APPDIR)/,default_contexts default_type initrc_context failsafe_context userhelper_context removable_context dbus_contexts customizable_types) $(CONTEXTPATH)/files/media
CONTEXTFILES += $(wildcard $(APPCONF)/*_context*) $(APPCONF)/media
USER_FILES := $(POLDIR)/users
@@ -274,11 +274,6 @@ $(APPDIR)/removable_context: $(APPCONF)/removable_context
@mkdir -p $(APPDIR)
$(QUIET) install -m 644 $< $@
-$(APPDIR)/customizable_types: policy.conf
- @mkdir -p $(APPDIR)
- $(QUIET) grep "^type .*customizable" $< | cut -d',' -f1 | cut -d' ' -f2 > tmp/customizable_types
- $(QUIET) install -m 644 tmp/customizable_types $@
-
$(APPDIR)/default_type: $(APPCONF)/default_type
@mkdir -p $(APPDIR)
$(QUIET) install -m 644 $< $@
diff --git a/refpolicy/Rules.modular b/refpolicy/Rules.modular
index a152bae..d988436 100644
--- a/refpolicy/Rules.modular
+++ b/refpolicy/Rules.modular
@@ -170,6 +170,15 @@ endif
########################################
#
+# Appconfig files
+#
+$(APPDIR)/customizable_types: base.conf
+ @mkdir -p $(APPDIR)
+ $(QUIET) grep "^type .*customizable" $< | cut -d',' -f1 | cut -d' ' -f2 > tmp/customizable_types
+ $(QUIET) install -m 644 tmp/customizable_types $@
+
+########################################
+#
# Clean the sources
#
clean:
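Review bot: Generating `$(APPDIR)/customizable_types` from `base.conf` lists only the types declared in whatever goes into the base package; if base.conf is assembled from the base modules alone, a type tagged `customizable` in a loadable module would be missing from the installed file, and restorecon/setfiles on a modular system would then relabel those customised files back to the policy default. Worth confirming which module sources feed base.conf before relying on it, or building the list from all module sources as the monolithic rule effectively does with policy.conf. A one-line comment above the rule stating the scope (`# customizable types from the base package only`) would at least make the limitation visible.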
diff --git a/refpolicy/Rules.monolithic b/refpolicy/Rules.monolithic
index 652bece..0d6aa7d 100644
--- a/refpolicy/Rules.monolithic
+++ b/refpolicy/Rules.monolithic
@@ -12,7 +12,7 @@ HOMEDIRPATH = $(CONTEXTPATH)/files/homedir_template
FC := file_contexts
POLVER := policy.$(PV)
-APPFILES += $(APPDIR)/customizable_types $(INSTALLDIR)/booleans
+APPFILES += $(INSTALLDIR)/booleans
# for monolithic policy use all base and module to create policy
ALL_MODULES := $(strip $(BASE_MODS) $(MOD_MODS))
@@ -228,6 +228,15 @@ longcheck: policy.conf $(FC)
########################################
#
+# Appconfig files
+#
+$(APPDIR)/customizable_types: policy.conf
+ @mkdir -p $(APPDIR)
+ $(QUIET) grep "^type .*customizable" $< | cut -d',' -f1 | cut -d' ' -f2 > tmp/customizable_types
+ $(QUIET) install -m 644 tmp/customizable_types $@
+
+########################################
+#
# Clean the sources
#
clean:
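Review bot: The `grep "^type .*customizable" $<` in the new rule matches any type line that merely contains the word, so a declaration such as `type customizable_foo_t;` (no attribute list) would be emitted as `customizable_foo_t;` with the trailing semicolon, since `cut -d','` then finds no comma. Anchoring the attribute form, e.g. `grep -E "^type [^,;]+,.*\<customizable\>" $< | cut -d',' -f1 | cut -d' ' -f2`, limits the list to types that actually carry the attribute. The recipe also writes a fixed `tmp/customizable_types` scratch file before the install; deriving the scratch name from `$@` is the usual way to keep it collision-free.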
diff --git a/refpolicy/config/appconfig-targeted-mcs/default_contexts b/refpolicy/config/appconfig-targeted-mcs/default_contexts
index 1a98643..b3dddce 100644
--- a/refpolicy/config/appconfig-targeted-mcs/default_contexts
+++ b/refpolicy/config/appconfig-targeted-mcs/default_contexts
@@ -1,8 +1,9 @@
-system_r:unconfined_t:s0 system_r:unconfined_t:s0
+system_r:crond_t:s0 system_r:unconfined_t:s0
system_r:initrc_t:s0 system_r:unconfined_t:s0
system_r:local_login_t:s0 system_r:unconfined_t:s0
system_r:remote_login_t:s0 system_r:unconfined_t:s0
system_r:rshd_t:s0 system_r:unconfined_t:s0
-system_r:crond_t:s0 system_r:unconfined_t:s0
system_r:sshd_t:s0 system_r:unconfined_t:s0
system_r:sysadm_su_t:s0 system_r:unconfined_t:s0
+system_r:unconfined_t:s0 system_r:unconfined_t:s0
+system_r:xdm_t:s0 system_r:unconfined_t:s0
diff --git a/refpolicy/config/appconfig-targeted-mls/default_contexts b/refpolicy/config/appconfig-targeted-mls/default_contexts
index 1a98643..b3dddce 100644
--- a/refpolicy/config/appconfig-targeted-mls/default_contexts
+++ b/refpolicy/config/appconfig-targeted-mls/default_contexts
@@ -1,8 +1,9 @@
-system_r:unconfined_t:s0 system_r:unconfined_t:s0
+system_r:crond_t:s0 system_r:unconfined_t:s0
system_r:initrc_t:s0 system_r:unconfined_t:s0
system_r:local_login_t:s0 system_r:unconfined_t:s0
system_r:remote_login_t:s0 system_r:unconfined_t:s0
system_r:rshd_t:s0 system_r:unconfined_t:s0
-system_r:crond_t:s0 system_r:unconfined_t:s0
system_r:sshd_t:s0 system_r:unconfined_t:s0
system_r:sysadm_su_t:s0 system_r:unconfined_t:s0
+system_r:unconfined_t:s0 system_r:unconfined_t:s0
+system_r:xdm_t:s0 system_r:unconfined_t:s0
diff --git a/refpolicy/config/appconfig-targeted/default_contexts b/refpolicy/config/appconfig-targeted/default_contexts
index dee752d..d91373a 100644
--- a/refpolicy/config/appconfig-targeted/default_contexts
+++ b/refpolicy/config/appconfig-targeted/default_contexts
@@ -1,8 +1,9 @@
-system_r:unconfined_t system_r:unconfined_t
+system_r:crond_t system_r:unconfined_t
system_r:initrc_t system_r:unconfined_t
system_r:local_login_t system_r:unconfined_t
system_r:remote_login_t system_r:unconfined_t
system_r:rshd_t system_r:unconfined_t
-system_r:crond_t system_r:unconfined_t
system_r:sshd_t system_r:unconfined_t
system_r:sysadm_su_t system_r:unconfined_t
+system_r:unconfined_t system_r:unconfined_t
+system_r:xdm_t system_r:unconfined_t
diff --git a/refpolicy/policy/modules/admin/su.if b/refpolicy/policy/modules/admin/su.if
index 9fd6679..95a87c2 100644
--- a/refpolicy/policy/modules/admin/su.if
+++ b/refpolicy/policy/modules/admin/su.if
@@ -43,6 +43,11 @@ template(`su_restricted_domain_template', `
# for SSP
dev_read_urand($1_su_t)
+ files_read_etc_files($1_su_t)
+ files_read_etc_runtime_files($1_su_t)
+ files_search_var_lib($1_su_t)
+ files_dontaudit_getattr_tmp_dir($1_su_t)
+
selinux_get_fs_mount($1_su_t)
selinux_validate_context($1_su_t)
selinux_compute_access_vector($1_su_t)
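Review bot: The new `files_dontaudit_getattr_tmp_dir($1_su_t)` silences a denial without recording what su does to /tmp, and a dontaudit is exactly the kind of rule that later hides a real misconfiguration. A why-comment on the line, such as `# su stats /tmp on startup; harmless, do not log — confirm trigger`, keyed to the AVC it was added for, would let the next maintainer decide whether it is still needed. The template `su_restricted_domain_template` starts before this hunk.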
@@ -56,10 +61,6 @@ template(`su_restricted_domain_template', `
domain_use_wide_inherit_fd($1_su_t)
- files_read_etc_files($1_su_t)
- files_read_etc_runtime_files($1_su_t)
- files_search_var_lib($1_su_t)
-
init_dontaudit_use_fd($1_su_t)
init_dontaudit_use_script_pty($1_su_t)
# Write to utmp.
diff --git a/refpolicy/policy/modules/admin/su.te b/refpolicy/policy/modules/admin/su.te
index 65aaf77..9078ccf 100644
--- a/refpolicy/policy/modules/admin/su.te
+++ b/refpolicy/policy/modules/admin/su.te
@@ -1,5 +1,5 @@
-policy_module(su,1.0.1)
+policy_module(su,1.1.1)
########################################
#
diff --git a/refpolicy/policy/modules/kernel/filesystem.te b/refpolicy/policy/modules/kernel/filesystem.te
index df2bf26..9b0e3ff 100644
--- a/refpolicy/policy/modules/kernel/filesystem.te
+++ b/refpolicy/policy/modules/kernel/filesystem.te
@@ -1,5 +1,5 @@
-policy_module(filesystem,1.0.1)
+policy_module(filesystem,1.1.1)
########################################
#
@@ -22,6 +22,7 @@ sid fs gen_context(system_u:object_r:fs_t,s0)
# Requires that a security xattr handler exist for the filesystem.
fs_use_xattr ext2 gen_context(system_u:object_r:fs_t,s0);
fs_use_xattr ext3 gen_context(system_u:object_r:fs_t,s0);
+fs_use_xattr gfs gen_context(system_u:object_r:fs_t,s0);
fs_use_xattr jfs gen_context(system_u:object_r:fs_t,s0);
fs_use_xattr reiserfs gen_context(system_u:object_r:fs_t,s0);
fs_use_xattr xfs gen_context(system_u:object_r:fs_t,s0);
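Review bot: `fs_use_xattr gfs` stores labels in the filesystem's own security xattrs, and for a cluster filesystem those xattrs are shared by every node that mounts it, so a type written by one node is unknown on a node running a different policy and would presumably be treated as unlabeled there. A short comment next to the entry, e.g. `# gfs: labels are cluster-wide, all nodes need a compatible policy`, would capture that constraint. Also confirm the gfs module of the target kernels really implements the security.* xattr handler the comment above the list requires; otherwise files on gfs mounts will not carry the labels this line promises.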
diff --git a/refpolicy/policy/modules/services/canna.te b/refpolicy/policy/modules/services/canna.te
index b119afe..a39ac7f 100644
--- a/refpolicy/policy/modules/services/canna.te
+++ b/refpolicy/policy/modules/services/canna.te
@@ -1,5 +1,5 @@
-policy_module(canna,1.0)
+policy_module(canna,1.1.1)
########################################
#
@@ -47,7 +47,6 @@ files_create_pid(canna_t, canna_var_run_t, { file sock_file })
kernel_read_kernel_sysctl(canna_t)
kernel_read_system_state(canna_t)
-kernel_dontaudit_use_fd(canna_t)
corenet_tcp_sendrecv_all_if(canna_t)
corenet_raw_sendrecv_all_if(canna_t)
diff --git a/refpolicy/policy/modules/services/cups.te b/refpolicy/policy/modules/services/cups.te
index 1ff7d20..05aed4c 100644
--- a/refpolicy/policy/modules/services/cups.te
+++ b/refpolicy/policy/modules/services/cups.te
@@ -1,5 +1,5 @@
-policy_module(cups,1.0.3)
+policy_module(cups,1.1.1)
########################################
#
@@ -505,6 +505,8 @@ allow cupsd_config_t cupsd_etc_t:file create_file_perms;
allow cupsd_config_t cupsd_etc_t:lnk_file create_lnk_perms;
type_transition cupsd_config_t cupsd_etc_t:file cupsd_rw_etc_t;
+allow cupsd_config_t cupsd_log_t:file rw_file_perms;
+
allow cupsd_config_t cupsd_rw_etc_t:dir rw_dir_perms;
allow cupsd_config_t cupsd_rw_etc_t:file manage_file_perms;
allow cupsd_config_t cupsd_rw_etc_t:lnk_file create_lnk_perms;
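Review bot: `allow cupsd_config_t cupsd_log_t:file rw_file_perms;` grants write, and with it the ability to truncate or rewrite CUPS log files, not just append to them; for a log type the append-only form keeps the history intact. If the configuration helper only appends, `allow cupsd_config_t cupsd_log_t:file ra_file_perms;` should be enough — confirm against the denial this was added for. A comment naming the tool that writes the log would also make the rule easier to audit later.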
diff --git a/refpolicy/policy/modules/services/dbus.te b/refpolicy/policy/modules/services/dbus.te
index 64d25a9..75bdf43 100644
--- a/refpolicy/policy/modules/services/dbus.te
+++ b/refpolicy/policy/modules/services/dbus.te
@@ -1,5 +1,5 @@
-policy_module(dbus,1.0.2)
+policy_module(dbus,1.1.1)
gen_require(`
class dbus { send_msg acquire_svc };
@@ -32,7 +32,7 @@ files_pid_file(system_dbusd_var_run_t)
# cjp: dac_override should probably go in a distro_debian
allow system_dbusd_t self:capability { dac_override setgid setpcap setuid };
dontaudit system_dbusd_t self:capability sys_tty_config;
-allow system_dbusd_t self:process { getattr signal_perms };
+allow system_dbusd_t self:process { getattr signal_perms setcap };
allow system_dbusd_t self:fifo_file { read write };
allow system_dbusd_t self:dbus { send_msg acquire_svc };
allow system_dbusd_t self:unix_stream_socket { connectto create_stream_socket_perms connectto };
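Review bot: The added `setcap` on `self:process` is undocumented; together with the `setpcap` capability already on the line above, the likely reason is dbus-daemon adjusting its own capability set at startup, which deserves a comment such as `# setcap/setpcap: dbus-daemon changes its capability set after start — confirm`, hedged until checked against the AVC. While here, the context line `self:unix_stream_socket { connectto create_stream_socket_perms connectto }` lists connectto twice and could be de-duplicated.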
diff --git a/refpolicy/policy/modules/services/ftp.te b/refpolicy/policy/modules/services/ftp.te
index 1a83d1c..0b90109 100644
--- a/refpolicy/policy/modules/services/ftp.te
+++ b/refpolicy/policy/modules/services/ftp.te
@@ -1,5 +1,5 @@
-policy_module(ftp,1.0.2)
+policy_module(ftp,1.1.1)
########################################
#
@@ -71,8 +71,11 @@ kernel_read_system_state(ftpd_t)
dev_read_sysfs(ftpd_t)
dev_read_urand(ftpd_t)
-fs_search_auto_mountpoints(ftpd_t)
-fs_getattr_all_fs(ftpd_t)
+corecmd_exec_bin(ftpd_t)
+corecmd_exec_sbin(ftpd_t)
+# Execute /bin/ls (can comment this out for proftpd)
+# also may need rules to allow tar etc...
+corecmd_exec_ls(ftpd_t)
corenet_tcp_sendrecv_all_if(ftpd_t)
corenet_udp_sendrecv_all_if(ftpd_t)
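Review bot: `corecmd_exec_bin(ftpd_t)` and `corecmd_exec_sbin(ftpd_t)` let a network-facing daemon execute every binary under bin and sbin in its own domain, far beyond the `/bin/ls` the comment says is the requirement, and the comment only talks about commenting out `corecmd_exec_ls`. If ls (and possibly tar) is the real need, keep `corecmd_exec_ls(ftpd_t)` and drop the two broad calls, or gate them behind a boolean with a comment naming which FTP server needs them. These lines are moved rather than new, but the breadth is worth revisiting while they are touched.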
@@ -89,26 +92,25 @@ corenet_tcp_bind_ftp_data_port(ftpd_t)
corenet_tcp_bind_generic_port(ftpd_t)
corenet_tcp_connect_all_ports(ftpd_t)
+domain_use_wide_inherit_fd(ftpd_t)
+
+files_search_etc(ftpd_t)
+files_read_etc_files(ftpd_t)
+files_read_etc_runtime_files(ftpd_t)
+files_search_var_lib_dir(ftpd_t)
+
+fs_search_auto_mountpoints(ftpd_t)
+fs_getattr_all_fs(ftpd_t)
+
term_dontaudit_use_console(ftpd_t)
+auth_use_nsswitch(ftpd_t)
auth_domtrans_chk_passwd(ftpd_t)
# Append to /var/log/wtmp.
auth_append_login_records(ftpd_t)
#kerberized ftp requires the following
auth_write_login_records(ftpd_t)
-corecmd_exec_bin(ftpd_t)
-corecmd_exec_sbin(ftpd_t)
-# Execute /bin/ls (can comment this out for proftpd)
-# also may need rules to allow tar etc...
-corecmd_exec_ls(ftpd_t)
-
-domain_use_wide_inherit_fd(ftpd_t)
-
-files_search_etc(ftpd_t)
-files_read_etc_files(ftpd_t)
-files_read_etc_runtime_files(ftpd_t)
-
init_use_fd(ftpd_t)
init_use_script_pty(ftpd_t)
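Review bot: `files_search_var_lib_dir(ftpd_t)` uses a different interface name from the rest of this patch, which calls `files_search_var_lib(...)` for su, hal and saslauthd; if files.if defines only one of the two, the ftp module fails to build. Use `files_search_var_lib(ftpd_t)` unless `files_search_var_lib_dir` is confirmed to exist. The new `auth_use_nsswitch(ftpd_t)` would also benefit from a why-comment (presumably user and group lookups for logins — confirm).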
diff --git a/refpolicy/policy/modules/services/hal.te b/refpolicy/policy/modules/services/hal.te
index 8f5a8f3..9bb932a 100644
--- a/refpolicy/policy/modules/services/hal.te
+++ b/refpolicy/policy/modules/services/hal.te
@@ -1,5 +1,5 @@
-policy_module(hal,1.0.4)
+policy_module(hal,1.1.1)
########################################
#
@@ -23,11 +23,13 @@ files_pid_file(hald_var_run_t)
allow hald_t self:capability { net_admin sys_admin dac_override dac_read_search mknod sys_rawio };
dontaudit hald_t self:capability sys_tty_config;
-allow hald_t self:process signal_perms;
+# vbetool requires execmem
+allow hald_t self:process { execmem signal_perms };
allow hald_t self:fifo_file rw_file_perms;
allow hald_t self:unix_stream_socket { create_stream_socket_perms connectto };
allow hald_t self:unix_dgram_socket create_socket_perms;
allow hald_t self:netlink_route_socket r_netlink_socket_perms;
+allow hald_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
allow hald_t self:netlink_kobject_uevent_socket create_socket_perms;
allow hald_t self:tcp_socket create_stream_socket_perms;
allow hald_t self:udp_socket create_socket_perms;
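Review bot: `execmem` on hald_t removes the W^X guarantee for the whole daemon — a root process that, per the capability line at the top of the hunk, also holds sys_admin, sys_rawio and mknod — in order to satisfy one helper, vbetool. Running vbetool in its own domain via a transition from hald_t would keep execmem off hald itself; if that is not feasible yet, the comment should say so rather than just naming the helper. The new `netlink_audit_socket { create_netlink_socket_perms nlmsg_relay }` lets hald emit userspace audit records; on kernels that enforce it that also requires the audit_write capability, which is not in hald's capability set here, so confirm which helper needs it and document it.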
@@ -47,6 +49,9 @@ kernel_read_network_state(hald_t)
kernel_read_kernel_sysctl(hald_t)
kernel_write_proc_file(hald_t)
+corecmd_exec_bin(hald_t)
+corecmd_exec_sbin(hald_t)
+
corenet_tcp_sendrecv_all_if(hald_t)
corenet_udp_sendrecv_all_if(hald_t)
corenet_raw_sendrecv_all_if(hald_t)
@@ -59,7 +64,6 @@ corenet_non_ipsec_sendrecv(hald_t)
corenet_tcp_bind_all_nodes(hald_t)
corenet_udp_bind_all_nodes(hald_t)
-dev_read_sysfs(hald_t)
dev_rw_usbfs(hald_t)
dev_read_urand(hald_t)
dev_read_input(hald_t)
@@ -68,6 +72,20 @@ dev_rw_printer(hald_t)
dev_read_lvm_control(hald_t)
dev_getattr_all_chr_files(hald_t)
dev_manage_generic_chr_file(hald_t)
+# hal is now execing pm-suspend
+dev_rw_sysfs(hald_t)
+
+domain_use_wide_inherit_fd(hald_t)
+domain_exec_all_entry_files(hald_t)
+
+files_exec_etc_files(hald_t)
+files_read_etc_files(hald_t)
+files_rw_etc_runtime_files(hald_t)
+files_search_mnt(hald_t)
+files_search_var_lib(hald_t)
+files_read_usr_files(hald_t)
+# hal is now execing pm-suspend
+files_create_boot_flag(hald_t)
fs_getattr_all_fs(hald_t)
fs_search_all(hald_t)
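Review bot: `domain_exec_all_entry_files(hald_t)` runs every domain's entry-point binary inside hald_t with no transition, so whatever pm-suspend invokes inherits hald's sys_admin and sys_rawio privileges; a dedicated domain for pm-suspend, or at least a list of the specific executables, would keep that contained. `files_create_boot_flag(hald_t)` presumably covers flags like /.autorelabel in the root directory, which would let hald force a full relabel at the next boot — confirm that is intended for the suspend path and say so in the comment. The comment `# hal is now execing pm-suspend` appears twice in this hunk; one copy above the group it explains is enough.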
@@ -87,19 +105,6 @@ storage_raw_write_fixed_disk(hald_t)
term_dontaudit_use_console(hald_t)
-corecmd_exec_bin(hald_t)
-corecmd_exec_sbin(hald_t)
-
-domain_use_wide_inherit_fd(hald_t)
-domain_exec_all_entry_files(hald_t)
-
-files_exec_etc_files(hald_t)
-files_read_etc_files(hald_t)
-files_rw_etc_runtime_files(hald_t)
-files_search_mnt(hald_t)
-files_search_var_lib(hald_t)
-files_read_usr_files(hald_t)
-
init_use_fd(hald_t)
init_use_script_pty(hald_t)
@@ -171,6 +176,10 @@ optional_policy(`nscd',`
nscd_use_socket(hald_t)
')
+optional_policy(`ntp',`
+ ntp_domtrans(hald_t)
+')
+
optional_policy(`pcmcia',`
pcmcia_manage_pid(hald_t)
pcmcia_manage_runtime_chr(hald_t)
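Review bot: `ntp_domtrans(hald_t)` is added without a reason, and a transition from the hardware-abstraction daemon into the ntp domain is unusual enough to warrant one. If the use case is resyncing the clock after resume, a comment such as `# hal runs ntpdate to resync the clock after resume — confirm` on the transition would document it. The optional_policy block is complete within the hunk.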
diff --git a/refpolicy/policy/modules/services/mta.te b/refpolicy/policy/modules/services/mta.te
index 810d711..ea66396 100644
--- a/refpolicy/policy/modules/services/mta.te
+++ b/refpolicy/policy/modules/services/mta.te
@@ -1,5 +1,5 @@
-policy_module(mta,1.0.4)
+policy_module(mta,1.1.1)
########################################
#
@@ -57,15 +57,6 @@ init_use_script_pty(system_mail_t)
userdom_use_sysadm_terms(system_mail_t)
-ifdef(`hide_broken_symptoms',`
- # Red Hat systems seem to have a stray
- # fds open from the initrd
- ifdef(`distro_redhat',`
- kernel_dontaudit_use_fd(system_mail_t)
- storage_dontaudit_read_fixed_disk(system_mail_t)
- ')
-')
-
ifdef(`targeted_policy',`
typealias system_mail_t alias sysadm_mail_t;
diff --git a/refpolicy/policy/modules/services/sasl.te b/refpolicy/policy/modules/services/sasl.te
index c81a934..f1b37d4 100644
--- a/refpolicy/policy/modules/services/sasl.te
+++ b/refpolicy/policy/modules/services/sasl.te
@@ -18,6 +18,7 @@ files_pid_file(saslauthd_var_run_t)
# Local policy
#
+allow saslauthd_t self:capability setuid;
dontaudit saslauthd_t self:capability sys_tty_config;
allow saslauthd_t self:process signal_perms;
allow saslauthd_t self:fifo_file { read write };
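Review bot: `allow saslauthd_t self:capability setuid;` gives an authentication daemon the ability to change its uid without any comment on what needs it (dropping to an unprivileged user after start, or a PAM module, are the usual reasons); add one, e.g. `# setuid: saslauthd drops privileges after startup — confirm`. Unlike the other rule changes in this patch, sasl.te keeps its existing policy_module version while its rules change; bump it to 1.1.1 as the other modules do.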
@@ -56,9 +57,10 @@ auth_use_nsswitch(saslauthd_t)
domain_use_wide_inherit_fd(saslauthd_t)
files_read_etc_files(saslauthd_t)
-files_read_etc_runtime_files(saslauthd_t)
+files_dontaudit_read_etc_runtime_files(saslauthd_t)
files_search_var_lib(saslauthd_t)
files_dontaudit_getattr_home_dir(saslauthd_t)
+files_dontaudit_getattr_tmp_dir(saslauthd_t)
init_use_fd(saslauthd_t)
init_use_script_pty(saslauthd_t)
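Review bot: Replacing `files_read_etc_runtime_files(saslauthd_t)` with `files_dontaudit_read_etc_runtime_files(saslauthd_t)` both removes the permission and hides the resulting denial, so if saslauthd genuinely reads any etc_runtime_t file it now fails silently. If the read was only a probe, a comment explaining that (e.g. `# saslauthd probes etc runtime files but does not need them`) justifies the swap; otherwise keep the allow. The new `files_dontaudit_getattr_tmp_dir(saslauthd_t)` deserves the same note on what it silences.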
diff --git a/refpolicy/policy/modules/services/spamassassin.te b/refpolicy/policy/modules/services/spamassassin.te
index ba7b467..3c6bdb9 100644
--- a/refpolicy/policy/modules/services/spamassassin.te
+++ b/refpolicy/policy/modules/services/spamassassin.te
@@ -73,6 +73,10 @@ corenet_non_ipsec_sendrecv(spamd_t)
corenet_tcp_bind_all_nodes(spamd_t)
corenet_udp_bind_all_nodes(spamd_t)
corenet_tcp_bind_spamd_port(spamd_t)
+# spamassassin 3.1 needs this for its
+# DnsResolver.pm module which binds to
+# random ports >= 1024.
+corenet_udp_bind_generic_port(spamd_t)
dev_read_sysfs(spamd_t)
dev_read_urand(spamd_t)
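Review bot: spamassassin.te gains a rule but no policy_module version bump — the diffstat shows only the four added lines — while every other rule change in this patch moves its module to 1.1.1; bump it the same way. The comment on `corenet_udp_bind_generic_port(spamd_t)` is helpful; it could also note that, if the generic port type covers every unlabeled port, this allows spamd to bind any unreserved UDP port rather than only resolver source ports.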
diff --git a/refpolicy/policy/modules/services/xdm.te b/refpolicy/policy/modules/services/xdm.te
index f38050e..6f12feb 100644
--- a/refpolicy/policy/modules/services/xdm.te
+++ b/refpolicy/policy/modules/services/xdm.te
@@ -6,11 +6,7 @@ policy_module(xdm,1.0.1)
# Declarations
#
-ifdef(`targeted_policy',`
- unconfined_alias_domain(xdm_t)
-',`
- type xdm_t;
-')
+type xdm_t;
# real declaration moved to mls until
# range_transition works in loadable modules
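Review bot: xdm_t becomes a real type in targeted policy here, but the module stays at `policy_module(xdm,1.0.1)` (visible in the hunk header) while the other modules in this patch move to 1.1.1; bump it. With the `unconfined_alias_domain` gone, any targeted-policy rule that previously reached xdm through unconfined_t no longer applies; the default_contexts entries added in this patch cover login, but other modules that referenced the display manager via unconfined_t should be checked.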
@@ -78,7 +74,9 @@ selinux_compute_user_contexts(xdm_t)
files_read_etc_runtime_files(xdm_t)
ifdef(`targeted_policy',`
+ allow xdm_t self:process execmem;
unconfined_domain_template(xdm_t)
+ unconfined_domtrans(xdm_t)
',`
allow xdm_t xdm_lock_t:file create_file_perms;
files_create_lock(xdm_t,xdm_lock_t)
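Review bot: In the targeted branch `allow xdm_t self:process execmem;` sits next to `unconfined_domain_template(xdm_t)`; if that template already grants execmem as part of the unconfined ruleset, the explicit allow is redundant and should either go or carry a comment saying why it is needed separately — confirm against unconfined.if. `unconfined_domtrans(xdm_t)` means every session the display manager spawns in targeted policy lands in unconfined_t; that matches the default_contexts change in this patch but is worth stating here, e.g. `# targeted: user sessions started by xdm run unconfined`.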
diff --git a/refpolicy/policy/modules/system/hostname.te b/refpolicy/policy/modules/system/hostname.te
index 1200282..bfc5fdb 100644
--- a/refpolicy/policy/modules/system/hostname.te
+++ b/refpolicy/policy/modules/system/hostname.te
@@ -1,5 +1,5 @@
-policy_module(hostname,1.0)
+policy_module(hostname,1.1.1)
########################################
#
@@ -22,7 +22,6 @@ allow hostname_t self:capability sys_admin;
allow hostname_t self:unix_stream_socket create_stream_socket_perms;
dontaudit hostname_t self:capability sys_tty_config;
-kernel_dontaudit_use_fd(hostname_t)
kernel_list_proc(hostname_t)
kernel_read_proc_symlinks(hostname_t)
diff --git a/refpolicy/policy/modules/system/init.if b/refpolicy/policy/modules/system/init.if
index 7c08d2c..38ab298 100644
--- a/refpolicy/policy/modules/system/init.if
+++ b/refpolicy/policy/modules/system/init.if
@@ -31,18 +31,6 @@ interface(`init_domain',`
allow init_t $1:fd use;
allow $1 init_t:fifo_file rw_file_perms;
allow $1 init_t:process sigchld;
-
- # Red Hat systems seem to have stray
- # fds open from the initrd
- ifdef(`hide_broken_symptoms',`
- # Red Hat systems seem to have a stray
- # fds open from the initrd
- ifdef(`distro_redhat',`
- kernel_dontaudit_use_fd($1)
- storage_dontaudit_read_fixed_disk($1)
- files_dontaudit_read_root_file($1)
- ')
- ')
')
########################################
@@ -82,16 +70,6 @@ interface(`init_daemon_domain',`
typeattribute $2 direct_init_entry;
')
- ifdef(`hide_broken_symptoms',`
- # Red Hat systems seem to have a stray
- # fds open from the initrd
- ifdef(`distro_redhat',`
- kernel_dontaudit_use_fd($1)
- storage_dontaudit_read_fixed_disk($1)
- files_dontaudit_read_root_file($1)
- ')
- ')
-
ifdef(`targeted_policy',`
# this regex is a hack, since it assumes there is a
# _t at the end of the domain type. If there is no _t
@@ -163,16 +141,6 @@ interface(`init_system_domain',`
allow $1 initrc_t:fd use;
allow $1 initrc_t:fifo_file rw_file_perms;
allow $1 initrc_t:process sigchld;
-
- ifdef(`hide_broken_symptoms',`
- # Red Hat systems seem to have a stray
- # fds open from the initrd
- ifdef(`distro_redhat',`
- kernel_dontaudit_use_fd($1)
- storage_dontaudit_read_fixed_disk($1)
- files_dontaudit_read_root_file($1)
- ')
- ')
')
########################################
diff --git a/refpolicy/policy/modules/system/libraries.fc b/refpolicy/policy/modules/system/libraries.fc
index 28c1670..95104c1 100644
--- a/refpolicy/policy/modules/system/libraries.fc
+++ b/refpolicy/policy/modules/system/libraries.fc
@@ -62,7 +62,8 @@ ifdef(`distro_redhat',`
/usr/lib(64)?/im/.*\.so.* -- gen_context(system_u:object_r:shlib_t,s0)
/usr/lib(64)?/iiim/.*\.so.* -- gen_context(system_u:object_r:shlib_t,s0)
-/usr/lib(64)?/libGL(core)?/.so(\.[^/]*)* -- gen_context(system_u:object_r:texrel_shlib_t,s0)
+/usr/lib(64)?/libGL(core)?\.so(\.[^/]*)* -- gen_context(system_u:object_r:texrel_shlib_t,s0)
+/usr/lib(64)?/libGLU\.so(\.[^/]*)* -- gen_context(system_u:object_r:texrel_shlib_t,s0)
/usr/lib(64)?(/.*)?/libnvidia.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:texrel_shlib_t,s0)
/usr/(local/)?lib/wine/.*\.so -- gen_context(system_u:object_r:texrel_shlib_t,s0)
@@ -103,7 +104,6 @@ ifdef(`distro_redhat',`
/usr/lib/valgrind/hp2ps -- gen_context(system_u:object_r:texrel_shlib_t,s0)
/usr/lib/valgrind/stage2 -- gen_context(system_u:object_r:texrel_shlib_t,s0)
/usr/lib/valgrind/vg.*\.so -- gen_context(system_u:object_r:texrel_shlib_t,s0)
-/usr/lib/.*/libxpcom_core.so -- gen_context(system_u:object_r:texrel_shlib_t,s0)
/usr/lib/.*/program/libicudata\.so.* -- gen_context(system_u:object_r:texrel_shlib_t,s0)
/usr/lib/.*/program/libsts645li\.so -- gen_context(system_u:object_r:texrel_shlib_t,s0)
/usr/lib/.*/program/libvclplug_gen645li\.so -- gen_context(system_u:object_r:texrel_shlib_t,s0)
@@ -113,6 +113,10 @@ ifdef(`distro_redhat',`
/usr/lib(64)?/.*/program/libsvx680li\.so -- gen_context(system_u:object_r:texrel_shlib_t,s0)
/usr/lib(64)?/.*/program/libcomphelp4gcc3\.so -- gen_context(system_u:object_r:texrel_shlib_t,s0)
/usr/lib(64)?/.*/program/libsoffice\.so -- gen_context(system_u:object_r:texrel_shlib_t,s0)
+/usr/lib(64)?/firefox.*\.so -- gen_context(system_u:object_r:texrel_shlib_t,s0)
+/usr/lib(64)?/mozilla.*\.so -- gen_context(system_u:object_r:texrel_shlib_t,s0)
+/usr/lib(64)?/sunbird.*\.so -- gen_context(system_u:object_r:texrel_shlib_t,s0)
+/usr/lib(64)?/thunderbird.*\.so -- gen_context(system_u:object_r:texrel_shlib_t,s0)
# Fedora Extras packages: ladspa, imlib2, ocaml
/usr/lib/ladspa/analogue_osc_1416\.so -- gen_context(system_u:object_r:texrel_shlib_t,s0)
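Review bot: The four new entries end in `\.so` with no `(\.[^/]*)*` suffix, unlike the neighbouring libGL and libnvidia lines, so versioned objects such as libfoo.so.1 under /usr/lib/firefox* would not get texrel_shlib_t, since file_contexts patterns are anchored at both ends. Use `/usr/lib(64)?/firefox.*\.so(\.[^/]*)*` and the same for the other three if any of those trees ship versioned .so files. Note also that `.*` crosses directory boundaries, so every shared object under any path starting with firefox, mozilla, sunbird or thunderbird becomes execmod-able — much broader than the single libxpcom_core.so entry removed above; if only a few libraries need text relocations, list them.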
diff --git a/refpolicy/policy/modules/system/libraries.te b/refpolicy/policy/modules/system/libraries.te
index 7ba9087..79ac468 100644
--- a/refpolicy/policy/modules/system/libraries.te
+++ b/refpolicy/policy/modules/system/libraries.te
@@ -1,5 +1,5 @@
-policy_module(libraries,1.0.1)
+policy_module(libraries,1.1.1)
########################################
#
@@ -42,12 +42,8 @@ ifdef(`targeted_policy',`
# texrel_shlib_t is the type of shared objects in the system lib
# directories, which require text relocation.
#
-ifdef(`targeted_policy',`
- typealias lib_t alias texrel_shlib_t;
-',`
- type texrel_shlib_t;
- files_type(texrel_shlib_t)
-')
+type texrel_shlib_t;
+files_type(texrel_shlib_t)
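Review bot: Dropping the `typealias lib_t alias texrel_shlib_t` for targeted policy makes texrel_shlib_t a distinct type there, so any targeted domain that relied on plain lib_t permissions for GL or Mozilla libraries now needs the interface that grants execmod on texrel_shlib_t; confirm the confined targeted daemons that load such libraries still get it. The split is the right direction — with the alias, any execmod granted on texrel_shlib_t applied to every lib_t object — and that rationale deserves a comment at the declaration, e.g. `# distinct in targeted too, so execmod is limited to libs that need text relocation`.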
########################################
#
diff --git a/refpolicy/policy/modules/system/locallogin.te b/refpolicy/policy/modules/system/locallogin.te
index a2116d1..b5cd6a1 100644
--- a/refpolicy/policy/modules/system/locallogin.te
+++ b/refpolicy/policy/modules/system/locallogin.te
@@ -168,13 +168,6 @@ userdom_use_unpriv_users_fd(local_login_t)
# Search for mail spool file.
mta_getattr_spool(local_login_t)
-# Red Hat systems seem to have a stray
-# fd open from the initrd
-ifdef(`distro_redhat',`
- kernel_dontaudit_use_fd(local_login_t)
- files_dontaudit_read_root_file(local_login_t)
-')
-
ifdef(`targeted_policy',`
unconfined_domain_template(local_login_t)
unconfined_shell_domtrans(local_login_t)
diff --git a/refpolicy/policy/modules/system/mount.te b/refpolicy/policy/modules/system/mount.te
index 9c724ba..a3668f8 100644
--- a/refpolicy/policy/modules/system/mount.te
+++ b/refpolicy/policy/modules/system/mount.te
@@ -1,5 +1,5 @@
-policy_module(mount,1.0.1)
+policy_module(mount,1.1.1)
########################################
#
@@ -26,7 +26,6 @@ allow mount_t mount_tmp_t:dir create_dir_perms;
files_create_tmp_files(mount_t,mount_tmp_t,{ file dir })
kernel_read_system_state(mount_t)
-kernel_dontaudit_use_fd(mount_t)
corenet_dontaudit_tcp_bind_all_reserved_ports(mount_t)
corenet_dontaudit_udp_bind_all_reserved_ports(mount_t)